Everyone loves milestone birthdays and this year - depending on who you believe - web access management (WAM) turns ten. Or 11. Or maybe its 12. Kids grow up so fast.
Since those early days, WAM has evolved to provide increasingly sophisticated authentication, authorization, and auditing capabilities. Some products provide critical identity administration capabilities such as delegated administration and self-service password resets. Unfortunately, cyberattacks have also become increasingly sophisticated, resulting in risk to end users and organizations alike. While the nature and scope of attacks has evolved, traditional access management systems have not broken the mold of their core triple-A capabilities.
The reasons people deploy access management are changing, rapidly. Systems originally intended to protect internal web resources for employees are now being adapted to externally facing applications and user populations. With regulatory compliance, web services, and outsourced services have come new requirements, additional complexity, and multi-domain integrations. Because WAM focuses on protecting web- and Java-based applications, additional solutions must be deployed to enable access management for the perimeter, network, desktop, client applications and mainframe-based systems. In addition, most applications and databases still implement access control internally.
Meanwhile, a typical organization's environment has become more complex and heterogeneous, making integration more difficult and causing costs to soar.
The landscape in which this collection of access management solutions operates is also changing. Today's business requirements motivate organizations to control access at a more granular level than ever before. The emergence of user centric authentication and claims-based authorization models has left companies and vendors alike scrambling to adapt their architectures to radically different use cases. As companies begin to expose more services to partners and consumers, the need to proactively identify risky transactions and protect users from fraud and identity theft is growing almost exponentially.
To meet this laundry list of requirements, WAM solutions clearly need to evolve. The result of this evolution is a new generation of access management solutions, which we will call Access Management 2.0. (Hey, we've got Identity 2.0 and Web 2.0, so why not?)
In order to achieve Access Management 2.0, four key things need to happen: convergence that results in a complete, best of breed, end-to-end solution; provide higher levels of identity assurance, risk management, and fraud detection; evolve to provide finer grained, application centric authorization and compliance management; and create a highly interoperable, hot-pluggable and standards-based solution.
One of the first steps toward Access Management 2.0 is convergence of the many coexisting types of authentication mechanisms – strong and multi-factor, web, desktop, thick client and mainframe, enterprise application, database, network and perimeter, and federated. The objectives of convergence are to simplify the process of authentication, centralize policy and credential management, and apply one solution simultaneously and consistently across all layers of the IT infrastructure and for both internal and external user groups. Convergence and simplification will help make it easier to adapt user centric authentication – especially models such as OpenID, which does not inherently incorporate trust, or Microsoft Cardspace, which in some cases delegates significant control of credentials to the end-users – to an enterprise authentication architecture.
Risk management and identity assurance
The new requirements driving Access Management 2.0 require greater and more dynamic adaptability to risk as well as the ability to provide identity assurance as an ingrained component of the architecture. Access management solutions and the applications and infrastructure they protect must be built from the ground up to better understand and interpret context and environment; provide pattern recognition and anomaly detection based on user behavior; give the ability to match policy and rules to risk criteria; incorporate anti-fraud and anti-phishing techniques; and correlate events or historical data through advanced forensics and analytics. All of these capabilities will allow the system to dynamically adjust policies and decisions to adapt to new conditions.
Typical enterprise applications combine rich contextual input, powerful policy administration, a deep repository of entitlements, and reporting tools to achieve fine-grained authorizations and compliance management. Access Management 2.0 applies this model to the rest of the enterprise by evolving the coarse-grained capabilities provided by WAM, providing tools for developers to externalize security and identity from new applications, leveraging standards to create interoperable policies, creating a framework for correlating diverse access requests and decisions, and delivering the information required for compliance dashboards. Applying new concepts like claims-based authorizations guarantees access to a greater pool of policy protected attributes and ensures greater privacy for end users while making the authorization system more flexible and adaptable. By combining end-to-end authentication, risk management, and context-based authorizations, Access Management 2.0 will help organizations better answer the question, "Who is this user and should I transact business with her?"
Hot pluggable integration
Interoperability is key. IT infrastructure is becoming more complex and being built on a more diverse collection of platforms and technologies. Providing a common layer for policy management and enforcement for heterogeneous environments is absolutely mandatory for coordinating security and identity across this diversity. Components based on standards such as Security Assertion Markup Language (SAML), Service Provisioning Markup Language (SPML), Business Process Execution Language (BPEL), eXtensible Access Control Markup Language (XACML), WS-Trust, and other WS-* protocols will provide a foundation for a secure, reusable access management architecture.
Moving to access management 2.0
Achieving Access Management 2.0 will not happen as the result of big bang upgrades. Much depends on understanding how new solutions impact user behavior, how new requirements impact architecture, and when new capabilities can be sensibly and safely deployed. Success will be measured by the ease with which solutions achieve the most common coexistence and migration scenarios.
-Eric Leach is senior group product manager for identity management at Oracle;
Frank Villavicencio is former director of product management for identity management at Oracle